How Can Small Businesses Be Protected From Spear Phishing?
All you need to know about spear phishing as a small business owner.
In this article, we’re going to discuss options you can take if you believe that someone is trying to phish one of your online accounts. As with most other articles on this page, we’re also focusing on how freelancers and small businesses can protect themselves from online threats. As your company grows and your ability to invest in your IT infrastructure increases, more options to reduce these risks come up. We’re also happy to talk about these if you get in touch with us.
What is Phishing?
Phishing attacks are attempts to obtain information that allows the attacker to get into someone's online accounts, such as e-mail, social media, or bank accounts. Attackers trick their victims into handing over the username, password, and other details they use to log in to their online services. There is a broad range of methods attackers can use, and phishing attacks also vary in how much they are tailored to succeed against specific types of victims.
It is relatively cheap for attackers to run these types of attacks, allowing them to perform them on a large scale or in a persistent manner.
What is Spear Phishing?
When people talk about spear phishing, they usually mean phishing attacks that aim at specific people or organizations. Instead of sending out the same phishing email to thousands of people with a generic message, they would focus on a small number of targets.
Focusing on specific victims allows the attacker to add more personalized content to these messages or send them out in a way that might resonate more with their victims. This increases the chance of success significantly. On the other hand, it’s also important to understand that running spear phishing attacks tends to be much more expensive for the attackers, as they have to do more research to better understand their targets.
Example of Spear Phishing
If an attacker wants to gain access to the email accounts of an employee working at a specific company, they might start with some spear phishing attacks.
As part of their preparation, they would gather useful information to make the phishing email seem more realistic and increase the likelihood of the victim clicking on it:
The domain the company uses for work email
The names and job titles of people working at the company
The email addresses of those employees
Who is in charge and how the team works together
Which collaboration tools they use
Who their customers and suppliers are
The topics and projects they are currently working on
Using this information, an attacker can write a more personalized and therefore more effective phishing email. Knowing who is in charge at the company or what a potential victim is working on lets them address the victim personally and create a sense of urgency, which makes it more likely that the victim lets their guard down.
There’s a great episode of the podcast called Reply-All that ran an internal phishing experiment in 2017 and describes how knowing the inner workings of the company allowed them to trick their CEO into getting phished.
Everyone can get phished - don’t blame the victim
As proven in the podcast mentioned above, it is not a sign of someone’s lack of knowledge if they end up getting phished. Thinking that underestimates the abilities of the attackers and puts blame on the victim. Instead, we should have empathy for how difficult it is to pay attention to every single step we take online and acknowledge that it’s not realistic to expect that all actions we take are as thought-through as they could be.
A better way to address this issue is to give people the right protections, so that phishing attacks are less likely to succeed or, in some cases, cannot succeed at all. Don’t assume that spear phishing attempts are easy to detect. They rarely show the tell-tale signs, like spelling mistakes and bad formatting, that people associate with phishing attacks. Assume that the attacker is smart and motivated.
Protections from Spear Phishing
The tools and techniques used to perform spear phishing attacks are getting more sophisticated and more widely available. This means that more people can use them, putting more potential victims at risk of being phished by targeted attacks.
If you’re a freelancer or own a small business, understanding ways your business's relevant online accounts can be protected from spear phishing attacks is a crucial part of your risk assessment.
Here are some basic tips that can make a spear phishing attack less likely to succeed:
Improve the configuration of your email server
If you’re using email with your own domain, you have additional controls to improve the security of your email accounts. There are a couple of ways your email server can detect emails from senders that are not who they pretend to be. So-called spoofed emails claim to come from a domain the sender doesn’t control. The protections you want to look out for are called DMARC (Domain-based Message Authentication, Reporting, and Conformance), SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail).
Most email providers selling to businesses offer instructions on how to implement these protections. Contact support or check their help pages for more information.
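To make the difference between a permissive and a protective configuration concrete, here is an added example (not code from this article or from any email provider) that shows a weak SPF and DMARC record next to a hardened pair and checks each for the settings that leave spoofing of the domain unchallenged. The record strings are constructed samples and the domains in them are placeholders; in practice the records are read from DNS (SPF at the domain itself, DMARC at _dmarc.<domain>). DKIM is not covered here, because it is a per-message signature verified against a selector record rather than a single policy record.

```python
"""Added example: audit SPF and DMARC policy records for weak settings.
Record strings below are constructed samples, not any real domain's records."""

from dataclasses import dataclass

# Constructed sample records: the first pair leaves spoofing unchallenged,
# the second pair asks receivers to reject mail that fails authentication.
WEAK_SPF = "v=spf1 include:_spf.example-mail.invalid ?all"
STRONG_SPF = "v=spf1 include:_spf.example-mail.invalid -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid; adkim=s; aspf=s"


@dataclass
class Finding:
    record: str   # "SPF" or "DMARC"
    problem: str  # human-readable description of the weak setting


def check_spf(record: str) -> list:
    """Flag SPF settings that let unlisted hosts send as the domain."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "missing or malformed 'v=spf1' record: no sender policy published")]
    # The 'all' mechanism decides what happens to senders not listed in the record.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append(Finding("SPF", "no 'all' mechanism: unlisted senders are neither passed nor failed"))
    else:
        first = all_terms[-1][0]
        qualifier = first if first in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("SPF", "'+all' authorizes every host on the internet to send as this domain"))
        elif qualifier == "?":
            findings.append(Finding("SPF", "'?all' is neutral: spoofed mail from unlisted hosts is not failed"))
        # '~all' (softfail) and '-all' (fail) both let receivers act on spoofed mail.
    return findings


def check_dmarc(record: str) -> list:
    """Flag DMARC settings that only monitor instead of enforcing a policy."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return [Finding("DMARC", "missing or malformed 'v=DMARC1' record: no DMARC policy published")]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("DMARC", "p=none only monitors; receivers are not asked to quarantine or reject spoofed mail"))
    elif policy not in ("quarantine", "reject"):
        findings.append(Finding("DMARC", "no valid 'p' tag: the record has no enforceable policy"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "no 'rua' address: you will not receive aggregate reports about who sends as your domain"))
    return findings


def audit(spf: str, dmarc: str) -> list:
    """Return human-readable problems for a domain's SPF and DMARC records."""
    return [f"{f.record}: {f.problem}" for f in check_spf(spf) + check_dmarc(dmarc)]


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(f"{label}: {audit(spf, dmarc) or 'no problems found'}")
```

Moving from p=none to p=quarantine or p=reject is usually done in stages, after the aggregate reports sent to the rua address confirm that every legitimate sender (your mail provider, newsletter tool, invoicing software) is covered by SPF or DKIM; otherwise the stricter policy blocks your own mail.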
Use strong and unique passwords
Assume that the person performing a spear phishing attack has done their research and will know your pet’s name, your mother's maiden name, and maybe even the street you grew up on. They will also have checked if any of your credentials have leaked on the dark web.
Use Two-Factor authentication
If an account is protected by an additional layer of security on top of the password, an attacker who has phished the password still needs that second factor, and a one-time code only works in the short window before it expires. Even against spear phishing attacks, two-factor authentication makes the attacker’s life harder.
The administrator of your business email instance can implement hard requirements for two-factor authentication for all employees.
Use a password manager plugin in your browser
Not only does a password manager make it easier to come up with strong and unique passwords, it also reduces the risk of you handing your password to a phishing page. The auto-fill functionality of modern password managers only offers a saved password on the exact website address it was saved for, so a look-alike address gets nothing.
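The following added example (not code from this article or from any password manager product) shows the origin check behind that auto-fill behaviour: a saved password is offered only when the page's scheme, host and port exactly equal the origin it was saved for. It contrasts that check with the "is the familiar name somewhere in the address?" glance a hurried person makes. The vault contents and all URLs are constructed samples; the look-alike addresses use reserved .invalid names.

```python
"""Added example: origin matching that decides whether a saved password may be
auto-filled on the current page. Vault and URLs are constructed samples."""

from typing import Optional
from urllib.parse import urlsplit

# Constructed vault: saved origin -> username (not any real product's storage format).
VAULT = {
    "https://mail.example.com": "alice@example.com",
    "https://bank.example.org": "alice",
}


def origin_of(url: str) -> Optional[str]:
    """Return scheme://host[:port] for a URL, or None if it has no scheme or host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    # Keep a non-default port: https://site:8443 is a different origin from https://site
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is not None and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}"


def credential_for(page_url: str, vault: dict = VAULT) -> Optional[str]:
    """Username to fill, but only when the page's origin exactly equals a saved origin."""
    origin = origin_of(page_url)
    if origin is None:
        return None
    return vault.get(origin)


def looks_like_saved_site(page_url: str, saved_host: str = "mail.example.com") -> bool:
    """The check a hurried human effectively makes: is the familiar name in the address?"""
    return saved_host in page_url.lower()


# Constructed URLs: one genuine login page and several look-alikes.
SAMPLE_URLS = [
    "https://mail.example.com/login",
    "https://mail.example.com.login-verify.invalid/",  # real name as a subdomain of another site
    "https://mai1.example.com/",                        # digit 1 in place of the letter l
    "http://mail.example.com/",                         # same host, but no TLS
    "https://mail.example.com@evil.invalid/",           # real name in the userinfo part of the URL
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:50} human: {looks_like_saved_site(url)!s:5} manager fills: {credential_for(url)}")
```

The point of the contrast is that the human check returns True for every sample except the digit swap, while the exact-origin check fills the password only on the genuine page. This is also why a password manager that stays silent on a login page you use every day is itself a useful warning sign.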
Take warnings seriously
If your email client tells you that an email comes from a potentially untrusted source or contains some malicious content, take this warning seriously. While these warnings are not 100% accurate, email providers like Google, Microsoft, etc. are constantly optimizing them.
On the other hand, just because there’s no warning doesn’t mean it’s safe.
Be suspicious whenever you need to login
Especially with email services like Google Workspace or Microsoft 365, you don’t have to go through the full login flow very often. Once you’re logged in on your device, you either don’t have to log in again at all or only have to re-enter your password at a defined interval. If clicking on a link sends you through a login flow for a service you use every day, ask yourself whether a phishing attempt is going on.
Talk to your employees and partners
It’s important for people to be aware of the risks of spear phishing. Talk to your employees about it and point them to resources like this on a regular basis. Mentioning it on the first day of work is a great start, but people tend to forget and need to be reminded on a regular basis.
FIDO Security Keys protect against Phishing
While I suggest you take the practices mentioned above seriously, they’re not a bullet-proof protection against phishing, especially when done in a targeted manner.
If you want to ensure that attackers can’t succeed with phishing attacks, using hardware keys is the best way to protect yourself. They are a physical object that the attacker needs, and doesn’t have, in order to get into your accounts. We discussed how you can use FIDO Security Keys in a recent blog post: FIDO Security Keys to protect your account.
We hope that this article will help you get your head around what spear phishing is and learn how you can protect yourself or your employees from being victims of such attacks. If you believe that you’re being directly targeted online, we can provide you with more help and information. Please contact us for a free informal consultation.